
Review and Announcement


darva

Presentation Transcript


  1. Review and Announcement • Ethernet • Ethernet CSMA/CD algorithm • Hubs, bridges, and switches • Hub: physical layer • Can’t interconnect 10BaseT & 100BaseT • Bridges and switches: data link layers • Wireless links and LANs • 802.11 a, b, g. • All use CSMA/CA for multiple access • Homework 4 due tonight so that we can discuss it in final review tomorrow • Final review in Thu. class • Final 3/16 (Th) 12:30-2:00pm

  2. Network Security Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and countermeasures • Part of the final

  3. What is network security? • Confidentiality: only sender, intended receiver should “understand” message contents (sender encrypts message; receiver decrypts message) • Authentication: sender, receiver want to confirm identity of each other • Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection • Access and Availability: services must be accessible and available to users

  4. Friends and enemies: Alice, Bob, Trudy • well-known in network security world • Bob, Alice (lovers!) want to communicate “securely” • Trudy (intruder) may intercept, delete, add messages [Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy is on the channel]

  5. Who might Bob, Alice be? • … well, real-life Bobs and Alices! • Web browser/server for electronic transactions (e.g., on-line purchases) • on-line banking client/server • DNS servers • routers exchanging routing table updates • other examples?

  6. There are bad guys (and girls) out there! Q: What can a “bad guy” do? A: a lot! • eavesdrop: intercept messages • actively insert messages into connection • impersonation: can fake (spoof) source address in packet (or any field in packet) • hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place • denial of service: prevent service from being used by others (e.g., by overloading resources) more on this later ……

  7. Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and countermeasures

  8. The language of cryptography • symmetric key crypto: sender, receiver keys identical • public-key crypto: encryption key public, decryption key secret (private) [Figure: plaintext → encryption algorithm (Alice’s encryption key $K_A$) → ciphertext → decryption algorithm (Bob’s decryption key $K_B$) → plaintext]

  9. Symmetric key cryptography substitution cipher: substituting one thing for another • monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq E.g.: Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc • Q: How hard to break this simple cipher?: • brute force (how hard?) • other?
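The two questions on slide 9 (brute force, and "other?") can be checked directly against the slide's own substitution row. The following is an added example, not part of the original slides; the function names are chosen here for illustration.

```python
import math
import string
from collections import Counter

PLAIN = string.ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"      # substitution row from slide 9

ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)

def encrypt(text):
    """Substitute each lowercase letter; punctuation and spaces pass through."""
    return text.translate(ENC)

def decrypt(text):
    return text.translate(DEC)

def keyspace_bits():
    """Brute force: 26! possible keys, expressed as an equivalent key length in bits."""
    return math.log2(math.factorial(26))

def frequency_shape(text):
    """Letter counts sorted high to low, ignoring which letter each count belongs to."""
    return sorted(Counter(c for c in text if c in PLAIN).values(), reverse=True)

def demo():
    msg = "bob. i love you. alice"             # plaintext from slide 9
    ct = encrypt(msg)
    return ct, decrypt(ct), frequency_shape(msg) == frequency_shape(ct)
```

The key space is roughly 88 bits, yet the sorted letter counts are identical before and after encryption, so the cipher is weak against letter-frequency statistics rather than against key search.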

  10. Symmetric key cryptography • symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: $K_{A-B}$ • e.g., key is knowing substitution pattern in monoalphabetic substitution cipher • Q: how do Bob and Alice agree on key value? [Figure: plaintext message $m$ → encryption algorithm (key $K_{A-B}$) → ciphertext $K_{A-B}(m)$ → decryption algorithm (key $K_{A-B}$) → plaintext $m = K_{A-B}(K_{A-B}(m))$]

  11. Public Key Cryptography symmetric key crypto • requires sender, receiver know shared secret key • Q: how to agree on key in first place (particularly if never “met”)? public key cryptography • radically different approach [Diffie-Hellman76, RSA78] • sender, receiver do not share secret key • public encryption key known to all • private decryption key known only to receiver

  12. Public key cryptography [Figure: plaintext message $m$ → encryption algorithm (Bob’s public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (Bob’s private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]

  13. Public key encryption algorithms • Requirements: (1) need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$; (2) given public key $K_B^+$, it should be impossible to compute private key $K_B^-$ • RSA: Rivest, Shamir, Adleman algorithm

  14. Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and countermeasures

  15. Authentication • Goal: Bob wants Alice to “prove” her identity to him • Protocol ap1.0: Alice says “I am Alice” • Failure scenario?? [Figure: message “I am Alice”]

  16. Authentication • Goal: Bob wants Alice to “prove” her identity to him • Protocol ap1.0: Alice says “I am Alice” • in a network, Bob can not “see” Alice, so Trudy simply declares herself to be Alice [Figure: message “I am Alice”]

  17. Authentication: another try • Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address • Failure scenario?? [Figure: packet carrying Alice’s IP address and “I am Alice”]

  18. Authentication: another try • Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address • Trudy can create a packet “spoofing” Alice’s address [Figure: packet carrying Alice’s IP address and “I am Alice”]

  19. Authentication: another try • Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it. • Failure scenario?? [Figure: packet with Alice’s IP addr, Alice’s password, “I’m Alice”; reply with Alice’s IP addr, OK]

  20. Authentication: another try • Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it. • playback attack: Trudy records Alice’s packet and later plays it back to Bob [Figure: packet with Alice’s IP addr, Alice’s password, “I’m Alice”; reply with Alice’s IP addr, OK; the same packet sent a second time]

  21. Authentication: yet another try • Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. • Failure scenario?? [Figure: packet with Alice’s IP addr, encrypted password, “I’m Alice”; reply with Alice’s IP addr, OK]

  22. Authentication: another try • Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. • record and playback still works! [Figure: packet with Alice’s IP addr, encrypted password, “I’m Alice”; reply with Alice’s IP addr, OK; the same packet sent a second time]

  23. Authentication: yet another try • Goal: avoid playback attack • Nonce: number (R) used only once-in-a-lifetime • ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key • Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! • Failures, drawbacks? [Figure: Alice → Bob: “I am Alice”; Bob → Alice: R; Alice → Bob: $K_{A-B}(R)$]
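The difference between ap3.1 and ap4.0 under playback can be seen by running both verifiers against the same recorded bytes. This is an added example, not part of the original slides: the class and function names are hypothetical, the key and password are constructed, and HMAC-SHA256 is used as a stand-in for "encrypted with shared secret key".

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"   # constructed value standing in for K_A-B

def keyed(key, data):
    """Stand-in for K_A-B(data): HMAC-SHA256 (an assumption, not from the slides)."""
    return hmac.new(key, data, hashlib.sha256).digest()

class BobAp31:
    """ap3.1: Bob compares against one fixed 'encrypted password' value."""
    def __init__(self, key, password):
        self.expected = keyed(key, password)

    def verify(self, blob):
        return hmac.compare_digest(blob, self.expected)

class BobAp40:
    """ap4.0: Bob sends a fresh nonce R and accepts K_A-B(R) for that R only."""
    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)   # new R for every attempt
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False
        ok = hmac.compare_digest(response, keyed(self.key, self.pending))
        self.pending = None                      # R is spent, pass or fail
        return ok

def replay_demo():
    """Return (live, replayed) acceptance for each protocol."""
    bob31 = BobAp31(SHARED_KEY, b"alice-password")
    recorded31 = keyed(SHARED_KEY, b"alice-password")    # bytes seen on the wire
    ap31 = (bob31.verify(recorded31), bob31.verify(recorded31))

    bob40 = BobAp40(SHARED_KEY)
    recorded40 = keyed(SHARED_KEY, bob40.challenge())    # Alice's live answer
    live = bob40.verify(recorded40)
    bob40.challenge()                                    # later session, new R
    ap40 = (live, bob40.verify(recorded40))
    return {"ap3.1": ap31, "ap4.0": ap40}
```

The ap3.1 verifier accepts the recorded value every time it is presented, while the ap4.0 verifier accepts it only for the nonce it was computed over.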

  24. Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and countermeasures

  25. Firewalls • isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. [Figure: administered network, firewall, public Internet]

  26. Firewalls: Why • prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections • prevent illegal modification/access of internal data, e.g., attacker replaces CIA’s homepage with something else • allow only authorized access to inside network (set of authenticated users/hosts) • two types of firewalls: application-level; packet-filtering

  27. Packet Filtering • internal network connected to Internet via router firewall • router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits • Should arriving packet be allowed in? Departing packet let out?

  28. Packet Filtering • Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked. • Example 2: Block inbound TCP segments with ACK=0. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
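The two filtering examples on slide 28 can be written as a first-match rule list and checked against the packets of a TCP handshake. This is an added example, not part of the original slides; the `Packet` fields, rule labels and port numbers in the handshake are constructed for illustration.

```python
from dataclasses import dataclass

TCP, UDP = 6, 17        # IP protocol field values
TELNET = 23

@dataclass
class Packet:
    inbound: bool       # True if it arrived on the Internet-facing interface
    proto: int
    sport: int
    dport: int
    ack: bool = False   # TCP ACK bit (ignored for UDP)

# First matching rule wins; each rule is (reason, predicate).
RULES = [
    ("example 1: UDP (protocol 17)", lambda p: p.proto == UDP),
    ("example 1: telnet (port 23)",
     lambda p: p.proto == TCP and TELNET in (p.sport, p.dport)),
    ("example 2: inbound TCP with ACK=0",
     lambda p: p.inbound and p.proto == TCP and not p.ack),
]

def decide(pkt):
    """Return ('drop', reason) for the first matching rule, else ('forward', None)."""
    for reason, matches in RULES:
        if matches(pkt):
            return ("drop", reason)
    return ("forward", None)

def handshake_verdicts(client_inside):
    """Verdicts for SYN, SYN/ACK, ACK of one handshake to port 80 (constructed)."""
    syn = Packet(inbound=not client_inside, proto=TCP, sport=40000, dport=80)
    synack = Packet(inbound=client_inside, proto=TCP, sport=80, dport=40000, ack=True)
    ack = Packet(inbound=not client_inside, proto=TCP, sport=40000, dport=80, ack=True)
    return [decide(p)[0] for p in (syn, synack, ack)]
```

Each packet is judged on its own: with an internal client all three handshake packets are forwarded, while for an external client the opening SYN (ACK=0) is the packet that is dropped.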

  29. Overview • What is network security? • Principles of cryptography • Authentication • Access control: firewalls • Attacks and countermeasures

  30. Internet security threats • Packet sniffing: • broadcast media • promiscuous NIC reads all packets passing by • can read all unencrypted data (e.g. passwords) • e.g.: C sniffs B’s packets • Countermeasures? [Figure: hosts A, B, C; packet with src:B, dest:A, payload]

  31. Internet security threats • Packet sniffing: countermeasures • all hosts in organization run software that checks periodically if host interface in promiscuous mode. [Figure: hosts A, B, C; packet with src:B, dest:A, payload]

  32. Internet security threats • IP Spoofing: • can generate “raw” IP packets directly from application, putting any value into IP source address field • receiver can’t tell if source is spoofed • e.g.: C pretends to be B • Countermeasures? [Figure: hosts A, B, C; packet with src:B, dest:A, payload]

  33. Internet security threats • IP Spoofing: ingress filtering • routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network) • great, but ingress filtering can not be mandated for all networks [Figure: hosts A, B, C; packet with src:B, dest:A, payload]

  34. Malicious Software

  35. Virus Statistics • 1988: Less than 10 known viruses • 1990: New virus found every day • 1993: 10-30 new viruses per week • 1999: 45,000 viruses and variants Source: McAfee

  36. The Spread of the Sapphire/Slammer SQL Worm
